Security Expert Geer Sounds Off on Dismissal

Posted by: jonconley

Security Expert Geer Sounds Off on Dismissal - 10/02/03 12:48 AM

By Dennis Fisher
September 29, 2003


When @stake Inc. on Thursday announced that it had fired its CTO Dan Geer, no one was more surprised than Geer himself.

A security researcher and scientist with more than 30 years of experience, including work on some groundbreaking projects, Geer was let go just a day after the publication of a paper he co-authored that was sharply critical of Microsoft Corp.—one of @stake's customers. The paper covered the effects that Microsoft's monopolistic position has on the security of the Internet.

The paper argues that the dominance of Windows in the marketplace has created a monoculture in which all systems are more vulnerable to widespread attacks and viruses. Part of the answer to the problem, Geer and his collaborators wrote, is for enterprises to diversify their infrastructures with products from other vendors.


Software diversity in the name of security is by no means a new idea, but Geer and the other authors are all very visible in the high-tech industry, especially within the security community, and their opinions carry a certain weight. However, Geer said Monday that the opinions in the paper were no more controversial or edgy than many of the things he's said in speeches, interviews and other papers during his time with @stake.

"People say that if he was surprised [by being fired], he's an idiot. Well, I was surprised in this sense: I do this kind of thing all the time," Geer said in an interview from his home. "My job was to be out in front far enough that a company the size of @stake could be at the front of an industry like this."

Microsoft, based in Redmond, Wash., has used @stake's services for several years. Officials at @stake, in Cambridge, Mass., flatly deny any connection between this fact and Geer's firing and say that no one from Microsoft influenced their decision whatsoever.

But Geer isn't convinced. The company said Geer's last day as an employee was Tuesday, but the announcement wasn't made until Thursday, the day after the paper was published. Geer went on a conference call with reporters Wednesday morning and identified himself as an @stake employee and added that the opinions in the paper were his own and not the company's.

"The Venn diagram of facts doesn't intersect. The intersection of all of those statements is the null set," Geer said.

The paper generated a fair amount of controversy, with Microsoft officials defending the company's security practices and corporate policies and @stake employees making the media rounds to distance the company from Geer's statements.

Whether Microsoft had a hand in his demise "will be forever impossible to ascertain," Geer said. "One might say communication wasn't necessary. There's a school of thought that says that a phone call wasn't needed. The more powerful you are, the less likely you are to have to pick up the phone. At most, you could call it plausible deniability."

As an example of the kind of behind-the-scenes influence that large vendors have, Geer cited his efforts to find an academic security expert or two to sign on to the paper on software diversity. After contacting nine people and striking out each time, he gave up.

"All of them said it was too hot for their position," Geer said. "They enjoy the free speech benefits of tenure but not necessarily those of funding."

One of the researchers Geer spoke with said he decided not to join the project for other reasons, but was nonetheless appalled by Geer's firing. Avi Rubin, associate professor of computer science at Johns Hopkins University in Baltimore, Md., and technical director of the university's Information Security Institute, is currently serving as an expert witness in a lawsuit against Microsoft. He looked over drafts of the paper during its development but ultimately felt that adding his name to it wasn't the best idea at the time. Still, he said he was upset by the implications of Geer losing his job.

"I think there should be a huge outcry over his firing. It is that kind of intimidation against scientists speaking their minds that can be extremely dangerous to our society," Rubin said.

Microsoft spokesmen denied that the company had any involvement in Geer's firing.

As for future projects, Geer said he's been inundated with offers and ideas. After all, he essentially created the security consulting industry more than a decade ago with his firm Geer-Zolot Associates and also oversaw the development of the Massachusetts Institute of Technology's Project Athena.

"The mail is still coming in fast and furious. No one's showed up with a boatload of money and said, 'Take it.' But the question now is, what's the wise thing to do," he said.


View article here @ eWeek: http://www.eweek.com